Today, the US Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with Comstar, LLC, a Massachusetts company that provides billing, collection, and related services to non-profit and municipal emergency ambulance services, concerning potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. The settlement resolves an OCR investigation concerning a ransomware breach that affected 585,621 individuals. OCR initiated an investigation after receiving Comstar’s breach report, dated May 26, 2022, that an unknown actor had gained unauthorized access to Comstar’s network servers on March 19, 2022. Comstar did not detect the intrusion until March 26, 2022. Ransomware was used to encrypt Comstar’s network servers, and the ePHI of approximately 585,621 individuals was affected.
At the time of the breach, Comstar was a business associate of over 70 HIPAA-covered entities. The type of ePHI impacted was clinical, including medical assessments and medication administration information. OCR’s investigation determined that Comstar failed to conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the ePHI that it holds.